Forum Discussion
CirrostratusRestrict access to unpublished directories in Exchange
Hello,
I have a requirement to allow access to certain directories within the Exchange IIS server. For e.g users are only required to get to /owa , /oab or /ews etc and access to all other directories should be dropped.
When a user connects to webmail , they come in through the URL "https://webmail.company.com" and then the "/owa" gets appended. I wrote some rules to achieve this , but however realized that the rules I wrote will only work if a user actually types in the URL " https://webmail.company.com/owa" or similar. However most of our users come in "https://webmail.company.com" and the rule does not work and if fact when i apply the rule , the appending of owa stops working as well and a user is presented with the default IIS page.
I would appreciate some help in getting this rule right. I have pasted the rule I created below:
when HTTP_REQUEST { if {[HTTP::uri] equals "/oab"} {HTTP::redirect "https://[HTTP::host]/oab" if {[HTTP::uri] equals "/ews"} {HTTP::redirect "https://[HTTP::host]/ews" if {[HTTP::uri] equals "/rpc"} {HTTP::redirect "https://[HTTP::host]/rpc" if {[HTTP::uri] equals "/cvwebrecall"} {HTTP::redirect "https://[HTTP::host]/cvwebrecall" if {[HTTP::uri] equals "/autodiscover"} {HTTP::redirect "https://[HTTP::host]/autodiscover/autodiscover.xml" if {[HTTP::uri] equals "/"} {HTTP::redirect "https://[HTTP::host]/owa" }
Thanks,
Karthik
4 Replies
Brad_Parker_139Nacreous
I assume you have a separate HTTP and HTTP VS. Just have you HTTP vip doing a 301 redirect to https://[HTTP::host][HTTP::uri] then you can use an iRule like this on your HTTPS VS to restrict access to you defined allowed paths. All paths will be blocked that are not in the switch command.
when HTTP_REQUEST { switch -glob [string tolower [HTTP::path]] { "/" { HTTP::respond 301 noserver "https://[HTTP::host]/owa" } "/autodiscover" { HTTP::respond 301 no server "https://[HTTP::host]/autodiscover/autodiscover.xml" } "/oab*" - "/esw*" - "/rpc*" - "/cvwebrecall*" - "/owa*" { return } default { reject } } }
Karthik_Krishn1Hi Brad, Thanks the rule. I tried it but when I do apply it , the page will not even display.
- Brad_Parker
Cirrus
I assume you have a separate HTTP and HTTP VS. Just have you HTTP vip doing a 301 redirect to https://[HTTP::host][HTTP::uri] then you can use an iRule like this on your HTTPS VS to restrict access to you defined allowed paths. All paths will be blocked that are not in the switch command.
when HTTP_REQUEST { switch -glob [string tolower [HTTP::path]] { "/" { HTTP::respond 301 noserver "https://[HTTP::host]/owa" } "/autodiscover" { HTTP::respond 301 no server "https://[HTTP::host]/autodiscover/autodiscover.xml" } "/oab*" - "/esw*" - "/rpc*" - "/cvwebrecall*" - "/owa*" { return } default { reject } } }- Karthik_Krishn1Hi Brad, Thanks the rule. I tried it but when I do apply it , the page will not even display.
